Why You Should Stop Using Google Sign-In for Every App and Website

Signing in with Google on third-party apps is convenient but risky. Losing access to your Google account can lock you out of all linked services, as seen in real cases. Man-in-the-middle attacks can bypass two-factor authentication. Using a password manager with unique credentials is a safer alternative.

English Transcript:

Here's a habit I'm willing to bet most of you have. You sign up for a new app or website and instead of filling out the form, you can just hit continue with Google. One click, you're in and you're done. I get it. I used to be exactly that person. And honestly, for a long time, it felt like the smart way to do things. Why manage a dozen different passwords when Google already knows who you are? It felt like the most obvious move. Then I started actually thinking about what that button represents. And once I did, I couldn't unsee it. Today, I'm going to make the case that signing in with Google is one of the worst digital habits most people have. And I'm going to back that up with real stories of people who found out the hard way and a data angle that most people aren't even aware of. And by the end of this video, you're either going to think I'm paranoid or you're going to open your Google account settings and start cleaning house.

Now, before I get into the horror stories, let me just frame what's actually happening when you use this feature. When you hit sign in with Google or continue with Google on a third-party app, you are not just logging in conveniently. You are tying that account's existence to your Google account. If you ever lose access to Google, you lose access to that service, too. And depending on how the app is set up, you might not even be able to recover it through the app directly. Your only way back is through Google. Now, think about how many apps you've done this with over the last few years. Most people who have had smartphones for the last decade have used sign-in with Google on a dozen services. Your food delivery, your ride share, your smart home, your language learning apps, your exercise tracker, your streaming subscriptions, possibly even your electricity provider. Now, I've listed all these things because it's actually crazy how many times we do this and we don't even notice. Every single one of those is now sitting behind one door with one lock, and Google holds the key.

Now, I know what you're thinking. Google isn't going to ban me. I'm not doing anything wrong. And honestly, statistically, you're most likely right. Google disables roughly 270,000 accounts per year for policy violations. Some deserved it, some didn't. All of them lost everything overnight. In 2021, a man identified as Chris by Android Police had his decade-old Gmail account disabled overnight during the COVID job market. He lost his Gmail, which meant he couldn't respond to job applications. He lost his Google, which meant he lost his phone number. He then lost his Google Fiber, Google Play, Google Drive, and Google Photos all within the same day. No phone number, no email, couldn't respond to job interviews, couldn't access his own bank account because his two-factor authentication was tied to his Google account. It's kind of crazy. There's also the case of Mark, a father whose account was banned after a photo auto-synced with his Google Drive. Police cleared him. He appealed with the police report and Google refused to reinstate the account, saying it stands by its decision. A Google ban isn't just losing your email. It's a blackout from every Google service tied to that account, and it cascades. Every third-party service using sign-in with Google is now locked. Every account that uses your Gmail for password resets becomes harder and harder to recover.

And here's the part that should really land all this. If you're an Android user, a banned Google account means your entire smartphone can't work properly. You can no longer sync your data. You can't download any apps or get notifications for some important applications on your phone. Now, I'm not here to scare you in any way. I'm trying to make you understand the stakes, because most people don't think about this until it happens to them.

Okay? So, that's the account ban risk. But let's say you're responsible. You're not doing anything that would get your account flagged and you're confident that Google won't come after you. That's fine. There's still a security angle here that should make you reconsider. It's called an adversary-in-the-middle attack and it can bypass your two-factor authentication entirely. And I want to walk you through how this works because it genuinely is clever and is scary at the same time. Most people think that if they have two-factor authentication enabled, meaning Google should text you a code or you can tap yes, this is me on your phone, they're protected from email phishing. That was true for old-fashioned phishing; it's not true anymore. Here's what happens in modern-day attacks. Instead of trying to steal your password with a fake login page, the attacker sets up a reverse proxy, essentially a mirror of your real Google sign-in page running in real time, connected to Google's actual servers on the back end. When you click continue with Google on what you think is a legitimate website, you're actually on this mirrored page. You enter your Gmail, Google asks you to verify, you tap yes, this is me on your phone, and authentication is complete. The attacker takes that pass and then uses it on their own device, and they're now logged in as you with no password. No need to get past your two-factor authentication ever again. Traditional two-factor authentication is largely obsolete against this kind of attack because you authenticated yourself. You just did it on the wrong page. Now, not everyone is going to be targeted by a professional phishing operation. But here's the thing, you don't get to know in advance whether you are a target. And the simplest way to reduce your exposure is to stop clicking sign in with Google on third-party apps as a default behavior. If you only ever sign into Google directly through google.com or gmail.com, the attack surface for this kind of thing shrinks dramatically.

Now, there is a third issue that is less dramatic, but worth talking about, especially in 2026. When you connect a bunch of services to your Google account through this login method, you're not just creating a security risk. You're handing Google an increasingly detailed map of your life. Google's own 2026 privacy policy makes it clear that it collects not just your name and your email, but the apps that you use, how often you log into them, and from where. Over time, Gemini and Google's other AI systems can piece together a behavioral profile of your habits, things you never really explicitly shared: which days you check your mental health app, when you track your exercise goals, how often you order food, and what time of the day. Google has said it doesn't use personal data directly to train its own models. Essentially, every time you sign in with Google on a new service, you're expanding the data footprint that Google builds around you, not just for its own services, but across the broader web. Look, I'm not going to tell you that Google is evil. Doesn't make sense if I do. I use Google products every single day. But there's a difference between the data Google collects from its own services, which you consciously opt into, and the data it collects from knowing you're using a mental health app at 10 p.m. every single Monday. You should at least be making that trade consciously, not just because clicking a button is faster.

All right, what's the practical fix? It's not glamorous, but it works. Create a real account. Yes, that means more usernames and more passwords. Yes, it means a bit more friction upfront, but this is exactly what password managers exist for. And if you're not using one in 2026, you're making your digital life harder than it needs to be. Tools like 1Password or even Proton Pass handle all this. You remember one master password, the manager generates strong, unique passwords for every service and autofills them. It takes maybe 2 minutes to set up a new account properly instead of clicking continue with Google. That's a trade worth making. The ideal setup is to spread your accounts across a few different email addresses, some on your main Gmail, some on your secondary email, and maybe some using Proton Mail. If the idea of migrating everything at once feels overwhelming, start small. Pick your five most important apps, the ones where losing access would genuinely hurt you, and switch those to a standalone account this week. Then work through the rest of it over time.

If you want a middle ground option before going fully standalone, passkeys are worth looking into. You can set these up through your password manager rather than through Google, which gives you the convenience of a one-click login without handing Google the gatekeeping role. It's not a perfect solution, but it's better than the current setup most people have. And here's the honest summary. Signing in with Google is a feature that is designed for convenience, and it delivers on that. But convenience is not the same as safety, and it's definitely not the same as control. Most people who have lost everything to a Google account ban or a phishing attack didn't see this coming. They thought about what you're thinking about right now, that it wouldn't happen to them, that they're not going to do anything wrong, that Google wouldn't do that. And that's it. That's the whole playbook. Your digital life is worth more than the 10 seconds that you save by clicking one button. And if you have a story about losing your Google account, let me know down in the comments. I would like to know and have a discussion. Thank you guys for watching this video. My name is KJ and I'll catch you guys in the next one.
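The relayed sign-in the video describes, and the reason the passkey middle ground it mentions at the end holds up against it, can be modelled in a few dozen lines. The following is an added illustration, not code from the video, from KJ, or from Google: the identity provider, the lookalike mirror page, and the victim's browser are plain Python objects, the origins are constructed names, and an HMAC with a per-user key stands in for the private-key signature a real authenticator would produce. What it shows is that a password plus a "yes, this is me" tap is relayed intact through a mirror page, while a credential that signs over the origin the browser actually landed on is rejected by the genuine provider, because the origin in the signed data is the lookalike's, not its own.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for this toy model; neither is a real domain.
GENUINE_ORIGIN = "https://accounts.idp.example"
LOOKALIKE_ORIGIN = "https://accounts-idp.example.net"


def sign_client_data(key, client_data):
    """Toy stand-in for an authenticator signature: HMAC over canonical JSON."""
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy provider offering password + push-approval 2FA, or an origin-bound assertion."""

    def __init__(self, origin):
        self.origin = origin
        self.passwords = {}   # username -> password
        self.keys = {}        # username -> toy key standing in for a registered passkey
        self.sessions = {}    # session token -> username

    def register(self, username, password):
        self.passwords[username] = password
        self.keys[username] = secrets.token_bytes(32)
        return self.keys[username]

    def _issue_session(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def login_with_password(self, username, password, approve_push):
        # approve_push() models the "yes, this is me" tap on the user's phone.
        if self.passwords.get(username) != password or not approve_push():
            return None
        return self._issue_session(username)

    def new_challenge(self):
        return secrets.token_hex(16)

    def login_with_assertion(self, username, client_data, signature):
        # Origin binding: the origin the browser actually saw must be ours.
        if client_data.get("origin") != self.origin:
            return None
        expected = sign_client_data(self.keys[username], client_data)
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session(username)


class Browser:
    """The victim's browser; it signs over the origin of the page it is really on."""

    def __init__(self, username, password, key):
        self.username, self.password, self.key = username, password, key

    def assert_for(self, challenge, page_origin):
        client_data = {"challenge": challenge, "origin": page_origin}
        return client_data, sign_client_data(self.key, client_data)


class MirrorPage:
    """Lookalike page that relays each step to the genuine provider in real time."""

    def __init__(self, idp, origin):
        self.idp, self.origin = idp, origin

    def relay_password_login(self, browser):
        # The victim types credentials and taps approve on a page they trust;
        # the relay forwards both and keeps the session token the provider returns.
        return self.idp.login_with_password(
            browser.username, browser.password, approve_push=lambda: True)

    def relay_assertion_login(self, browser):
        challenge = self.idp.new_challenge()
        client_data, sig = browser.assert_for(challenge, page_origin=self.origin)
        return self.idp.login_with_assertion(browser.username, client_data, sig)


def demo():
    """Run both flows directly and through the mirror; report which yield a session."""
    idp = IdentityProvider(GENUINE_ORIGIN)
    key = idp.register("victim", "correct horse battery staple")
    browser = Browser("victim", "correct horse battery staple", key)
    mirror = MirrorPage(idp, LOOKALIKE_ORIGIN)

    relayed_password = mirror.relay_password_login(browser)
    challenge = idp.new_challenge()
    cd, sig = browser.assert_for(challenge, page_origin=GENUINE_ORIGIN)
    direct_assertion = idp.login_with_assertion("victim", cd, sig)
    relayed_assertion = mirror.relay_assertion_login(browser)

    return {
        "password_plus_push_via_mirror_succeeds": idp.sessions.get(relayed_password) == "victim",
        "assertion_direct_succeeds": idp.sessions.get(direct_assertion) == "victim",
        "assertion_via_mirror_succeeds": relayed_assertion is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third result is the one that matters for the video's "middle ground" advice: the mirror cannot change what the browser signed without invalidating the signature, and it cannot serve the genuine origin without being the genuine site, so the relay has nothing usable to forward. Real passkeys (WebAuthn) get this property from the browser embedding the origin in the signed client data; the HMAC here only mimics that binding.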
